Episode 91

The Privacy Parables II: The AG’s Privacy Report and the Future of Privacy in Australia

Law as stated: 30 June 2023. This episode was published and is accurate as at this date.
Rejoin data wizard and Clyde & Co Partner Alec Christie as he braves the Curiosity Recording Room for the second time on the subject of the Privacy Act Review Report. The episode touches on the small business and employee records exceptions, the "right" to be forgotten, and a proposed direct right of action.
Substantive Law
Alec Christie
Clyde & Co
1 hour = 1 CPD point
What area(s) of law does this episode consider?
The Privacy Act Review Report and the future of privacy in Australia.
Why is this topic relevant?
On 16 February 2023, the Attorney-General’s Department published the long-awaited Privacy Act Review Report (Report). The Report represented the finale of two years of consultation and review of the Privacy Act 1988 (Cth). The question at the heart of the Report was whether the Act and its mechanisms were still fit for purpose.

The difference between the digital environment when the Act was passed and the digital environment in which we all live today is stark. The official birthday of the internet is recognised as 1 January 1983 – just five years before the Act. And the World Wide Web – the way we interact with information on the internet today – wasn’t even a twinkle in the eye of Tim Berners-Lee until 1989, and wasn’t royalty-free for widespread use until 1993.

The explosion of the digital economy since has generated massive benefits for consumers and businesses. But the price of access to the modern digital economy is data. And since 1988 ever larger amounts of it have been generated, stored, used, and disclosed.

What legislation is considered in this episode?
Privacy Act 1988 (Cth) (Act)

Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) (Bill)

What are the main points?
  • The Commonwealth Attorney-General’s Department published the Report in February 2023, following a two-year consultation period.
  • The Report aimed to determine whether the Act and its mechanisms are still suitable for modern-day Australia.
  • The Report proposes 116 reforms to the Act. An overarching theme of the Report is to bring Australian law closer to GDPR standards.
  • The Report proposes changes to the definition of personal and sensitive information from “about” a person to “related to” a person.
  • It may result in a 30% increase in information caught by privacy laws for some businesses. This, however, is a sensible change in the increasingly digital world as virtually everything collected can be connected to an individual.
  • The Report also proposes preventing companies from using synthetic data or making inferences that could be related to identifiable individuals. This is similar to the GDPR’s restrictions on profiling for marketing purposes.
  • The Australian government is considering a new code of conduct that would apply to all online services dealing with children.
  • This would be in addition to the eSafety Commissioner’s existing powers. The code would require online services to implement privacy protections for children similar to those in the US’s Children’s Online Privacy Protection Act.

Small business exemption

  • The current small business exemption benefits small businesses, but when a small business is acquired by a non-exempt business, compliance may become an issue.
  • In 1988, it was unlikely many small businesses collected personal data. In the digital age, it is now estimated that 98% of small businesses do so.
  • The exemption will likely be removed, though more consultation may be needed to determine the potential impact.

Employee records exemption

  • The Fair Work Commission has already somewhat eroded the exemption.
  • It is expected to be removed given most businesses are already limiting their reliance on it.
  • Employers who rely on this exemption can be viewed as untrustworthy and face negative consequences.
  • Businesses should be transparent and proactive in their approach to employee data protection.

Data breaches

  • Recent high-profile data breaches have led to increased interest in data destruction and data discovery.
  • Companies are now mapping out what data they have and where it is stored and are focusing on de-identifying or destroying data that is no longer needed. This reduces the risk of a data breach and its impact.
What are the practical takeaways?
  • Delete excess data. This will significantly reduce both the risk of a data breach and also the impact of that data breach when it happens.
  • 75% of Australian privacy requirements may seem like common sense; the remaining 25%, however, is where the difficulty lies. That 25% requires experience and understanding of the space.
  • Alec anticipates that 80% of the Report’s recommendations will be accepted. Privacy law practitioners should discuss the upcoming changes with their clients as it may require significant financial and time investment.
  • According to Alec, the three cannots of privacy law are:
    • You cannot collect whatever you want.
    • You cannot use it for whatever you want.
    • You cannot keep it for however long you want.
  • A possible fourth cannot arising from the Report is that you cannot rely on de-identification.
Show notes
Attorney-General’s Department, Privacy Act Review Report (2023)